Security Incidents mailing list archives
Re: [unisog] Re: Re: Large Attack
From: "Walter G. Aiello" <Walter.Aiello () Duke edu>
Date: Mon, 04 Mar 2002 14:09:04 -0500
Greetings, Don:

I replied to David Staggs at Vanderbilt as follows:

Yes, I agree that a well-protected and moderated site that listed problem networks would be an excellent idea. SANS has a list of the "Top 10 Most Wanted" that contains the 10 worst offenders in the previous 5-day period. If a list such as that were combined into a list of sources and ISPs that are the least responsive, and if enough of us blocked the offenders, it might just hit their bottom line hard enough for them to start taking some responsibility.

What would be very useful would be a list of ISPs and the IP addresses they control. That would enable us to completely block those ISPs without having a "dribble effect" of blocking a subnet, only to be attacked from another of their subnets, and so on.

For example, Jordan Wiens provided a list of network blocks owned by France Telecom (wanadoo.fr's parent company), which has been particularly unresponsive to complaints about the hailstorm of portscanning coming from their network. Several posters evidently indicated that they were at least considering blocking all traffic from those IP ranges. I added a few subnets to his list:

Something like a "Top 10" (perhaps "Bottom Ten" would be more appropriate) list of ISPs and their network blocks would be extremely helpful to those of us who want to restrict access by those ISPs.

Best regards and thank you.

Walter G. Aiello

--
Dr. Walter G. Aiello
Manager, Network and Information Services
Magnetic Resonance Research Section
Box 3808, Department of Radiology
Duke University Medical Center
Walter.Aiello () Duke edu
(919) 684 7519

Don Wolf wrote:
In regards to your interest in seeing "a site to list 'dirty subnets' - those subnets from which we see repeated attacks", there is a great site in which to go. DShield has been doing just that for some time. Just thought I'd point it out for those who didn't know.

This link according to DShield "shows the top 10 offenders according to the DShield database".

http://www.dshield.org/top10.html

___________________________________
Don J. Wolf - Security Consultant
SANS/GIAC, MCP, CCNA, ICSA
SecuredSite Intrusion Specialists
www.SecuredSite.org
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
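An added example, not part of the original messages: one way to turn a per-provider netblock list of the kind discussed above into a minimal set of deny rules, and to see why blocking one subnet at a time leaves the provider's other ranges open. The provider name, the ranges (RFC 2544 and RFC 5737 test space) and the carve-out handling are constructed assumptions.

```python
import ipaddress

# Constructed sample (RFC 2544 / RFC 5737 test ranges, not real ISP data):
# each entry is (block to deny, carve-outs to leave reachable).
ISP_BLOCKS = {
    "isp-a.example": [
        ("198.18.0.0/16", ["198.18.4.0/24", "198.19.16.0/24"]),
        ("198.51.100.0/25", []),
        ("198.51.100.128/25", []),
    ],
}

def build_deny_list(entries):
    """Return (deny_networks, stray_carve_outs) for one provider's entries."""
    deny, stray = [], []
    for block_text, carve_outs in entries:
        remaining = [ipaddress.ip_network(block_text)]
        for text in carve_outs:
            exc = ipaddress.ip_network(text)
            if not any(exc.overlaps(net) for net in remaining):
                stray.append(exc)  # matches nothing left in the block: probably a typo
                continue
            pieces = []
            for net in remaining:
                if exc.subnet_of(net):
                    pieces.extend(net.address_exclude(exc))  # split around it
                elif not net.subnet_of(exc):
                    pieces.append(net)  # untouched by this carve-out
            remaining = pieces
        deny.extend(remaining)
    # Merge adjacent blocks so the rule count stays as small as possible.
    return list(ipaddress.collapse_addresses(deny)), stray

def is_denied(ip_text, deny):
    """True if the address falls inside any denied network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in deny)

def blocked_sources(sources, deny):
    """Subset of source addresses that the deny list would drop."""
    return [s for s in sources if is_denied(s, deny)]

if __name__ == "__main__":
    deny, stray = build_deny_list(ISP_BLOCKS["isp-a.example"])
    # Constructed scan sources, all from the same provider.
    sources = ["198.18.5.1", "198.18.200.9", "198.51.100.200", "198.18.4.77"]
    one_subnet = [ipaddress.ip_network("198.18.5.0/24")]
    print("single-subnet block drops:", blocked_sources(sources, one_subnet))
    print("provider-wide list drops: ", blocked_sources(sources, deny))
    print("deny rules:", ", ".join(map(str, deny)))
    print("carve-outs outside their block:", ", ".join(map(str, stray)))
```

A carve-out reported as stray was never applied, so it is worth checking against the source list before the rules are loaded into a router or firewall.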